What Are HTTPS And SSL/TLS?

HTTPS is a secure method for transferring information on the Internet. With respect to your website, it does two important things:

Encrypts the data that's sent between a web browser and your site's server.

Authenticates that a web browser is indeed connected to the right web server, rather than a malicious imposter (known as a man in the middle attack).

You can tell if a website is using HTTPS by looking for https:// rather than http:// in your browser address bar. Additionally, most browsers now mark HTTPS with a green padlock.

To get HTTPS on your website, you need to install something called an SSL/TLS certificate. You'll often see people just call these "SSL certificates", but TLS is actually the more secure successor to SSL that's used today.

Why You Should Join The Majority And Move Your WordPress Site To HTTPS

The reasons behind this growth in adoption are a classic "carrot and stick" scenario.

On the carrot side, you have all kinds of benefits in the form of improved security, a positive SEO ranking factor, better credibility with your visitors, and more.

On the stick side, you have increasingly aggressive warnings to visitors of your website in Google Chrome (with other browsers following suit).

The Positive Benefits Of Moving Your Site To HTTPS

Even if you didn't have a big 'ole stick swinging at your head from Google (I'll talk about that in the next section), I think these reasons alone should be all that you need to convince you.

HTTPS Makes Your Website More Secure

This is the reason that so many big technology companies are pushing for HTTPS:

Using HTTPS makes your site more secure for both you and your visitors.

First off, if you ever log in to your WordPress site over public Wi-Fi while using HTTP, you're exposing your admin login credentials to anyone on that network who's interested. If you switch to HTTPS, those credentials are encrypted in transit.

So on a selfish note - it's just a good practice to keep your site safe from malicious actors.

HTTPS does the same for your visitors. And, more importantly if you don't accept user registrations, HTTPS's authentication also prevents malicious actors from impersonating your website in a man-in-the-middle attack, which helps keep your visitors safe.

HTTPS Is A Positive Ranking Factor In Google

Ok, I don't want to overstate this one because it's not like moving your WordPress site to HTTPS is going to instantly shoot your site up to the first position.

Other Smaller Benefits Of HTTPS

Beyond the two biggies above, HTTPS can also help get you:

More accurate Google Analytics referral data - Google Analytics doesn't show the referrer if a user comes from an HTTPS page to an HTTP page. By moving to HTTPS, you can see that referral data, though.

Better credibility with your visitors - even back in 2015, 28.9% of the people that GlobalSign surveyed looked for the green HTTPS address bar in their browsers. I'm sure that number has only grown.

Improved performance via HTTP/2 - if your host supports HTTP/2, moving to HTTPS allows you to use this protocol, which performs better than the older HTTP/1.

Browsers Are Going To Brand Your Site Not Secure If You Don't Get HTTPS

If the above benefits weren't enough to convince you to move your WordPress site to HTTPS, maybe this fact will give you an extra boost:

Google, through Chrome, is on the warpath to get webmasters to adopt HTTPS.

While sites using HTTPS get that nice green padlock and Secure text, sites still using HTTP get the opposite.

Google started out with some leniency, only marking input pages (like a login form) with a Not Secure warning starting in January 2017:

Yes - every single HTTP page will be marked as Not secure. That probably won't inspire a lot of confidence in your visitors, right?

That's why you need to start making plans to move your sites to HTTPS now. Because you don't want to be the person with a big fat Not Secure warning over your entire website come July 2018.

Will Moving To HTTPS Hurt Your Website's SEO?

This is the million dollar question.

Properly moving to HTTPS should not have any long-term negative effect on your site's rankings (a big emphasis on that "properly" part - that's what this post is about).

I haven't personally experienced any negative effects from moving any of my sites. And John Mueller (from Google) had this to say in his FAQ post:

"Fluctuations can happen with any bigger site change. We can't make any guarantees, but our systems are usually good with HTTP -> HTTPS moves."

Google can be a fickle beast, though, so I'm not going to sit here and 100% promise you that your site won't move at all.

Other Considerations For Moving Your Site To HTTPS

Beyond SEO, another thing that kind of sucks about moving your site to HTTPS is that you're going to lose the social share counts for your old posts.

There are some workarounds that I will discuss later on - but none of them work perfectly for all social share networks.

If you display share counts on your site, this is kind of a rough deal. But I don't think the negative of losing share counts is big enough to counteract all the benefits above.

How To Move Your WordPress Site From HTTP To HTTPS

To install an SSL certificate on your WordPress website, follow these 13 steps:

Install an SSL/TLS certificate on your server

Set up a 301 redirect for HTTP → HTTPS

Update all the internal links and media files on your site to use HTTPS

Check for mixed content warnings from third-party scripts/images

Update your CDN links (if using a CDN)

Change Cloudflare to full SSL (if using Cloudflare)

Migrate your Disqus comments (if using Disqus)

Create new Google Search Console properties

Update your site's URL in Google Analytics

Update all the links on your social profiles

Try to get as many external sites to update their links as possible

Update the links in other places, like email marketing software

Try to recover some share counts (if possible)

I know that seems like a ton - but it's not that time-consuming and the benefits are worth it. Let's get started!

Part 1: Getting HTTPS Working On Your WordPress Site

Before you get started with this section, I highly recommend that you back up your site. While you shouldn't experience any issues if you follow my guide to the letter, you will be editing essential parts of your site, so you definitely want a recent backup in hand.

Got your backup ready? Ok - continue.

Step 1: Install An SSL/TLS Certificate At Your Host

Unfortunately, this is the one step in this guide where I can't give you a specific tutorial because the process varies depending on where you're hosting your site.

Nowadays, most hosts give you the option of installing an SSL/TLS certificate for free thanks to a service called Let's Encrypt.

Usually, this only involves clicking a few buttons in cPanel. And some hosts will even handle some of the other technical steps for you.

They've made it super easy to switch your site to HTTPS in just a few simple clicks. Watch the video below:

TUNG TRAN

Founder of CloudLiving.com

How To Check If Your SSL/TLS Certificate Is Working

Once you install your SSL/TLS certificate, you should be able to access your site at https://www.yoursite.com and see the green padlock. You might see a mixed content error instead of the green padlock. That's fine for now - we'll fix that in a second.

Right-click and download a copy of your existing .htaccess file as a backup (this is important - make sure you have a backup of this file just in case. If anything goes wrong, you can just upload the backup version)

Right-click and edit your .htaccess file

Add the code snippet above to the top of the file and save your changes

Once you save your .htaccess file, try to visit the http:// version of your site. If you did it right, you should be taken straight to the secure https:// version of the same page on your site.
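A quick way to check more than the home page, as an added example that is not part of the original guide: the script below judges whether each plain-HTTP URL answers with a 301 to the same path on HTTPS. The function names and the sample responses are constructed for illustration, and the same-host rule is an assumption you can relax.

```python
import http.client
from urllib.parse import urlsplit

def judge_redirect(requested_url, status, location):
    """Return (ok, reason) for one response to a plain-http request."""
    req = urlsplit(requested_url)
    if status != 301:
        return False, f"expected 301, got {status}"
    if not location:
        return False, "301 without a Location header"
    dst = urlsplit(location)
    if dst.scheme != "https":
        return False, f"redirect target is not https: {location}"
    # Assumption: the redirect keeps the host (relax if you also move www <-> non-www).
    if dst.hostname != req.hostname:
        return False, f"host changed: {req.hostname} -> {dst.hostname}"
    if (dst.path or "/") != (req.path or "/") or dst.query != req.query:
        return False, f"path or query not preserved: {location}"
    return True, "ok"

def fetch(requested_url, timeout=10):
    """Send one GET over plain HTTP without following the redirect."""
    u = urlsplit(requested_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        target = (u.path or "/") + (f"?{u.query}" if u.query else "")
        conn.request("GET", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def check_site(urls, fetcher=fetch):
    """Map each URL to its (ok, reason) verdict."""
    return {u: judge_redirect(u, *fetcher(u)) for u in urls}

# Constructed responses standing in for a live server, so this runs offline.
SAMPLE = {
    "http://www.yoursite.com/": (301, "https://www.yoursite.com/"),
    "http://www.yoursite.com/contact/": (200, None),
    "http://www.yoursite.com/blog/?p=7": (302, "https://www.yoursite.com/blog/?p=7"),
    "http://www.yoursite.com/about/": (301, "https://www.yoursite.com/"),
}

if __name__ == "__main__":
    for url, (ok, reason) in check_site(SAMPLE, fetcher=SAMPLE.get).items():
        print("PASS" if ok else "FAIL", url, "-", reason)
```

To test a real site, call check_site with a list of your own http:// URLs and leave fetcher at its default.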

Step 3: Update All Internal Links And Media Files

Now your site is running on HTTPS, but there's still one problem:

All of your internal links, including all the images and other media that you've inserted in your content, are still using HTTP. That's going to trigger something called a Mixed Content Error and you won't get the green padlock.

The mixed content error basically means that assets are being loaded over both HTTPS and HTTP. Because not everything is loading over HTTPS, your site still isn't 100% secure:

To fix this, you need to edit all of the internal URLs in your database to use https:// instead of http://.

Don't worry - this is easier than it sounds. Rather than querying your database directly, you can use a simple, and free, plugin called Better Search Replace.

Install and activate the plugin. Then:

Make sure you have a backup of your database before doing anything.

If you ignored me and didn't back up earlier, UpdraftPlus lets you run a backup specifically on your database.

Go to Tools → Better Search Replace

Enter http://www.yourdomain.com in the Search for box (make sure to replace with your actual domain name. And if you don't use www in your domain, leave that out).

Enter https://www.yourdomain.com in the Replace with box (again, make sure to replace with your own domain and leave out the www part if you don't use www on your site).

Select all the tables in the Select tables area.

Leave the Run as dry run? box checked and click Run Search/Replace. This will start a test run.

Better Search Replace will run a test replacement. You can see these results at the top.

If you see something like X cells were found that need to be updated, that's good (your number will be a lot higher than my test site's number):

Now:

Uncheck the box for Run as dry run?

Click Run Search/Replace to run the database replacement for real

Step 4: Check For External Mixed Content

Now, everything on your own server should be using HTTPS. But you still might get the mixed content error because of external scripts that you're loading.
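To see what is still loading over HTTP after Steps 3 and 4, here is an added example (not from the original guide) that scans a page's HTML for http:// subresources. It labels each as internal (fixable with the database search/replace) or external (a third-party script or image), and as active or passive content. The sample markup and hosts are constructed, and the scan covers only tag attributes, not srcset or URLs inside CSS.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make the browser fetch a subresource. <a href> is
# navigation, not a subresource, so it never triggers mixed content.
FETCHING = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("link", "href"): "active",  # counted only for rel=stylesheet, see below
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
}

class MixedContentScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        if tag == "link" and "stylesheet" not in rel:
            return  # canonical, shortlink, etc. are not fetched as resources
        for name, value in attrs:
            kind = FETCHING.get((tag, name))
            url = urlsplit((value or "").strip())
            if kind is None or url.scheme.lower() != "http":
                continue  # https:// and protocol-relative // URLs are fine
            origin = "internal" if url.hostname == self.site_host else "external"
            self.findings.append((kind, origin, tag, url.geturl()))

def scan(html, site_host):
    """Return (kind, origin, tag, url) for every http:// subresource."""
    scanner = MixedContentScanner(site_host)
    scanner.feed(html)
    return scanner.findings

# Constructed page source; all hosts are placeholders.
SAMPLE = """
<link rel="stylesheet" href="https://www.yoursite.com/style.css">
<link rel="canonical" href="http://www.yoursite.com/post/">
<a href="http://www.yoursite.com/old-post/">old post</a>
<img src="http://www.yoursite.com/wp-content/uploads/photo.jpg">
<script src="http://widgets.example.net/share.js"></script>
<img src="//cdn.example.net/logo.png">
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE, "www.yoursite.com"):
        print(*finding)
```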

Google Search Console will treat the HTTPS version of your site as a separate entity:

To fix that, go to Search Console and create two new properties for the www and non-www HTTPS versions of your site:

https://www.yoursite.com

https://yoursite.com

On these new properties, make sure to:

Add your sitemap again

Resubmit your disavow file if you're using one (this one is super important)

Add any other desired settings (like how you prefer Google to show your URL in search)

You can download your disavow file from the HTTP property and then simply upload it to the new HTTPS properties.

If you're using other search engines' webmaster tools, you'll also want to do the same for those tools.

Step 9: Update Your Site's URL In Google Analytics

To use the HTTPS version of your site in Google Analytics:

Go to Admin in your Google Analytics dashboard

Choose Property Settings

Select https:// from the Default URL drop-down

Step 10: Update All The Links On Your Social Profiles

Go through:

Facebook

Twitter

Pinterest

Instagram

YouTube

Any other social networks that you use

And update all the profile links to use the new HTTPS version of your site.

Step 11: Try To Get As Many External Links Updated As Possible

NOTE:

Don't fixate too much on this. You already set up a 301 redirect, so all your existing links will still go to the right place and pass link juice.

This is just a "nice to have" thing if it's easy to swap out the links.

COLIN NEWCOMER

Contributing Writer, CloudLiving.com

While you'll never be able to update all of your external links, if it's not too time-consuming, you should try to update any of the links you have control over.

For example, if you already have a relationship with a webmaster, just shoot them an email and see if they'll do you a favor. Or, if you wrote a guest post, reach out to the editor again to see if they wouldn't mind inserting that extra "s" for you.

Step 12: Think Of Other Places With Links To Update

There still might be some other spots with links that you can update. Possible culprits are:

Email marketing software

Facebook ads (might as well cut out that redirect hop)

Any other tool you use that links to your site

Step 13: Try To Recover Social Share Counts

If you're deeply saddened by the loss of your social share counts, here are some ways to try to recover your old HTTP share counts:

The Social Warfare plugin can help you recover share counts for Pinterest and LinkedIn (and will try for others, but does not guarantee it).

I believe every webmaster today already knows the benefits of migrating from http to https, but the major problem most people usually face is how to do it correctly without having any issues. Because if it’s done poorly, there will be problems.

I was able to set up my own pretty easily last year, but I’m sure this post will help guide a lot of people on how to do it.

Your guide makes me confident to migrate my website from http to https. And 2 days ago I did it, I migrated my website to https and so far there has been no drop in traffic, even my website in Google search results has changed to https and it’s good to see there is no downgrade of ranking, still same as before. Thank you Tung, you saved my life!

Thank you for the really good overview of how to do this. I’ve been lucky in that my host handled most of it and all I had to do was install the Really Simple SSL plugin on my WordPress sites, poof, magical green lock. But I’ve been seeing a lot of people are having trouble getting theirs set up, so now I know where to send them for step-by-step instructions 🙂

After placing this code that you posted in .htaccess file

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

I do get a redirection, but only home page. If I try http://www.mysite.com/contact/ that page opens, it is not redirected to https. Any help with this?

Great post. Thanks a load for wording this out so clearly. Moving everything to https took me less than an hour (because I had to back up my site and download everything). Thanks again for this amazing share 🙂

Thank you for this amazing guide and making it easy for us non-techies. I have put off the task of changing my sites to https for so long because it just seemed so complicated. But with your guide I managed it! I am so happy!

However, I do have a question:

Referring to Step 8: after creating both the www and non-www https versions of your site in Google Search Console, do I then delete the old http ones (http://www and http://) already listed there?

Hi Tung and Colin, thank you for this super helpful article. I have a question: I’m using Cloudflare and have the Full SSL setting On. Since Cloudflare is a CDN service as well, do I also need to update CDN on Cloudflare, or does this setting (Full SSL) do the job?

Hi Tung, thanks for your reply. It looks like my question wasn’t clear, sorry. I did install SSL on my hosting (everything works fine, I have a green lock without any errors) and I was referring to Steps 5 and 6 of this article.

In Step 5 it says “Update CDN”. I’m using CDN through Cloudflare, and since Step 6 says “Switch To Full SSL On Cloudflare”, I was wondering if this Step 6 is enough (and I basically skip the Step 5) or if I have to do something else inside of Cloudflare to update CDN? I couldn’t find any information on this in Cloudflare help, so I assume it’s not necessary and “Full SSL” setting does the job.

Great article to install free SSL certificate to increase the security level. But many people are still unaware that they can do it for free. Your list of servers providing free SSL encryption will help them do it at no cost. As it is also a lightweight ranking signal, it is quite important today. Thank you for your guide to switch a WordPress site from HTTP to HTTPS.